IAMGlobalRoleBinding resource

IAMGlobalRoleBinding is the Cluster (non-namespaced) object that should be used for global role bindings in all namespaces. This object is accessible to users with the global-admin IAMRole assigned through the IAMGlobalRoleBinding object. The object contains the following fields:

• apiVersion

  API version of the object that is iam.mirantis.com/v1alpha1.

• kind

  Object type that is IAMGlobalRoleBinding.

• metadata

  Object metadata that contains the following field:

  • name

    Role binding name. If the role binding is user-created, user can set any unique name. If a name relates to a binding that is synced by user-controller from Keycloak, the naming convention is <username>-<rolename>.

• role

  Object role that contains the following field:

  • name

    Role name.

• user

  Object name that contains the following field:

  • name

    Name of the iamuser object that the defined role is provided to. Not equal to the user name in Keycloak.

• legacy

  Defines whether the role binding is legacy. Possible values are true or false.

• legacyRole

  Applicable when the legacy field value is true. Defines the legacy role name in Keycloak.

• external

  Defines whether the role is assigned through Keycloak and is synced by user-controller with the MOSK API as the IAMGlobalRoleBinding object. Possible values are true or false.

Caution

If you create the IAM*RoleBinding, do not set or modify the legacy, legacyRole, and external fields unless absolutely necessary and you understand all implications.

Configuration example:

apiVersion: iam.mirantis.com/v1alpha1
kind: IAMGlobalRoleBinding
metadata:
  name: userone-global-admin
role:
  name: global-admin
user:
  name: userone-f150d839
external: false
legacy: false
legacyRole: “”